SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   OS (UNIX)  >   FreeBSD Kernel Vendors:   FreeBSD
FreeBSD Kernel amd64 swapgs Bug Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1020815
SecurityTracker URL:  http://securitytracker.com/id/1020815
CVE Reference:   CVE-2008-3890   (Links to External Site)
Date:  Sep 3 2008
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.3, 6.4, 7.0
Description:   A vulnerability was reported in the FreeBSD Kernel. A local user can obtain elevated privileges on the target system.

A local user can cause the swapgs CPU instruction to be incorreclty executed, allowing the local user to execute arbitrary commands on the target system with kernel level privileges.

Systems running the 32 bit FreeBSD/i386 kernel are not affected, even if they have 64-bit capable CPUs.

Nate Eldredge reported this vulnerability.

Impact:   A local user can obtain kernel level privileges on the target system.
Solution:   The vendor has issued a fix and has provided the following solution instructions [quoted]:

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_0, or RELENG_6_3 security branch dated after the correction
date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and
7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-08:07/amd64.patch
# fetch http://security.FreeBSD.org/patches/SA-08:07/amd64.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

The vendor's advisory is available at:

http://security.freebsd.org/advisories/FreeBSD-SA-08:07.amd64.asc

Vendor URL:  security.freebsd.org/advisories/FreeBSD-SA-08:07.amd64.asc (Links to External Site)
Cause:   State error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Wed, 03 Sep 2008 20:13:05 +0000 (GMT)
Subject:  FreeBSD Security Advisory FreeBSD-SA-08:07.amd64

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:07.amd64                                      Security Advisory
                                                          The FreeBSD Project

Topic:          amd64 swapgs local privilege escalation

Category:       core
Module:         sys_amd64_amd64
Announced:      2008-09-03
Credits:        Nate Eldredge
Affects:        All supported FreeBSD/amd64 versions.
Corrected:      2008-08-21 09:58:18 UTC (RELENG_7, 7.0-STABLE)
                2008-09-03 19:09:47 UTC (RELENG_7_0, 7.0-RELEASE-p4)
                2008-09-03 19:09:47 UTC (RELENG_6, 6.4-PRERELEASE)
                2008-09-03 19:09:47 UTC (RELENG_6_3, 6.3-RELEASE-p4)
CVE Name:       CVE-2008-3890

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

FreeBSD/amd64 is commonly used on 64bit systems with AMD and Intel
CPU's.  For Intel CPU's this architecture is known as EM64T or Intel
64.

The gs segment CPU register is used by both user processes and the
kernel to convieniently access state data.  User processes use it to
manage per-thread data, and the kernel uses it to manage per-processor
data.  As the processor enters and leaves the kernel it uses the
'swapgs' instruction to toggle between the kernel and user values for
the gs register.

The kernel stores critical information in its per-processor data
block.  This includes the currently executing process and its
credentials.

As the processor switches between user and kernel level, a number of
checks are performed in order to implement the privilege protection
system.  If the processor detects a problem while attempting to switch
privilege levels it generates a trap - typically general protection
fault (GPF).  In that case, the processor aborts the return to the
user level process and re-enters the kernel.  The FreeBSD kernel
allows the user process to be notified of such an event by a signal
(SIGSEGV or SIGBUS).

II.  Problem Description

If a General Protection Fault happens on a FreeBSD/amd64 system while
it is returning from an interrupt, trap or system call, the swapgs CPU
instruction may be called one extra time when it should not resulting
in userland and kernel state being mixed.

III. Impact

A local attacker can by causing a General Protection Fault while the
kernel is returning from an interrupt, trap or system call while
manipulating stack frames and, run arbitrary code with kernel
privileges.

The vulnerability can be used to gain kernel / supervisor privilege.
This can for example be used by normal users to gain root privileges,
to break out of jails, or bypass Mandatory Access Control (MAC)
restrictions.

IV.  Workaround

No workaround is available, but only systems running the 64 bit
FreeSD/amd64 kernels are vulnerable.

Systems with 64 bit capable CPUs, but running the 32 bit FreeBSD/i386
kernel are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_0, or RELENG_6_3 security branch dated after the correction
date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and
7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-08:07/amd64.patch
# fetch http://security.FreeBSD.org/patches/SA-08:07/amd64.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/sys/amd64/amd64/exception.S                               1.125.2.3
RELENG_6_3
  src/UPDATING                                             1.416.2.37.2.9
  src/sys/conf/newvers.sh                                   1.69.2.15.2.8
  src/sys/amd64/amd64/exception.S                           1.125.2.2.2.1
RELENG_7
  src/sys/amd64/amd64/exception.S                               1.129.2.2
RELENG_7_0
  src/UPDATING                                              1.507.2.3.2.8
  src/sys/conf/newvers.sh                                    1.72.2.5.2.8
  src/sys/amd64/amd64/exception.S                           1.129.2.1.2.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3890

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:07.amd64.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iD8DBQFIvu2TFdaIBMps37IRAqt8AJsGd/2WDuMZYUeOcVKekHEHZWRoMACdGnVs
0JZMykjScj7GbrsOlOW3uQg=
=bs1z
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC